-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssl-passthrough config lost for ingress on config reload when --disable-full-test is set #10386
Comments
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/remove-kind bug this message
shows a loopback ipaddress and it sort of implies you want a TLS connection to the ingress-controller pod on its internal loopback interface. Does not make sense. Much more data is needed as to understand this. Please try to add info here like ;
/remove-kind bug |
"shows a loopback ipaddress and it sort of implies you want a TLS connection to the ingress-controller pod on its internal loopback interface" ---> that is the subject .... it is not what we want. it is SSL Passtrough set up , we should never see the request going to 127.0.0.1:442. But sometimes on some reloads it's append when --disable-full-test is set |
There are 2 aspects. If the state was in transit to being reconciled and a new connection for tls-passthrough was attempted, then this would be expected. |
This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach |
Hit this bug also. |
It is possible that large volume of change being done concurrently, will cause delay in reload and error during reload. But the description of this issue is not enough to take any practical action on. We already know about the large sixe change reload performance. There is work in progress to mitigate that large size reload and security problem. If this issue is only about large size reload breaking ssl-passthrough even then there is no action item here for the project because when the controller process is stuck, then many things will break and not only ssl-passthrough. Having more compute or memory at the time and on the node where the reload process is happening may be a temporary workaround. This is inherited from nginx as vanilla nginx also will reload delay if the number of changes is too bug and all concurrent. Plain ssl-passthrough works without problems as even other software use it https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#kubernetesingress-nginx . Since there is no action-item tracking here in this issue I will close it because it is adding to the tally of open issues. /close |
@longwuyuan: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
What happened:
Ingress using ssl-passthrough stop working on some nginx config reload and finaly the request is sent to nginx and the fake certificate is display because no certificates are set on this ingress because it is ssl-passthrough
for example:
a full restart of nginx solve the issue during some times..
What you expected to happen:
Nginx-ingress-controller should continue to redirect request tcp to 10.105.235.186:5556 all time
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
Kubernetes version (use
kubectl version
):Environment:
uname -a
): 5.15.0-60-generic Start FAQ docs #66-UbuntuHow to reproduce this issue:
Create an ingress with ssl-passthrough:
add the parameter: --disable-full-test to ingress-controller
after some time and config reload the issue appear
Anything else we need to know:
the issue seems to be present only with --disable-full-test parameter set.
A restart of nginx reload all the config and solve the issue temporarly
The text was updated successfully, but these errors were encountered: